A recent OCR action reveals how phishing can jeopardize healthcare businesses. Here's what you can do to protect yourself.

Contributor: Chelsea Ukoha, Law Clerk, Nixon Law Group PLLC

Earlier this year, a federally qualified health center, Metro Community Provider Network (“MCPN”), paid a $400,000 HIPAA breach penalty related to a 2011 phishing attack. In this attack, several MCPN employees had their email accounts hacked by a phisher who was able to gain access to about 3,200 individuals’ PHI.

Although MCPN took prompt action to inform OCR about the breach, after intensive investigation, OCR found that MCPN violated the HIPAA Security Rule because it failed to conduct any proper risk assessments or implement reasonable cybersecurity measures and procedures. In fact, the investigation revealed that MCPN did not take any safeguarding actions whatsoever until three months after the breach! Consequently, this situation should serve as a lesson to covered entities and business associates about the importance of conducting periodic risk assessments to prevent phishing attacks.

Phishing attacks have become common in this day and age, and these attacks are a serious problem in the healthcare industry. According to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), phishing is “a social engineering scam” in which scammers (“phishers”) use email, telephone, or text message to trick a person into giving the phisher access to sensitive information or information systems. Phishers often imitate a real person or organization with a legitimate purpose to access such information. For example, a phisher may send an email that looks like it’s from your billing vendor, requesting logon credentials to your EMR. A phisher might call and claim to be from your company’s IT department, requesting access to your internal email system. A phisher might even be able to send an email that looks like it came from your boss, requesting that you download and print a presentation for her—but the “presentation” file is actually a virus that allows the phisher to capture all of the information on your company’s servers. 
    
In the healthcare context, one objective of phishing is to access patient data—this can range from medical record and insurance information to patient demographic data like social security numbers and dates of birth. In some cases, phishers seek to steal and sell the data, and in others, they seek to “take hostage” such data in return for a paid ransom. Regardless of how the phisher uses the data, their access is unauthorized and therefore can constitute a HIPAA breach—a serious scenario for any healthcare business. 

To protect themselves from susceptibility to a phishing attack, covered entities and business associates should:

  • Ensure that their employees receive information security training so they will be able to identify possible phishing attempts and know how to address such incidents. (Employee HIPAA training is required by the HIPAA Security Rule, 45 C.F.R. § 164.308(a)(5)(i).)
  • Periodically update company software, and computer anti-virus and malware programs.
  • Implement strong security protocols, including multifactor authentication and encryption, to make it difficult for phishers to gain unauthorized access to information or to decrypt it. (See 45 C.F.R. §§ 164.308, 164.310, and 164.312.)
  • Maintain a compliance team that will exclusively handle IT-related security threats and incidents.
  • Create employee electronic device policies that address risk assessment and reasonable cybersecurity measures.
  • Encourage employees to report any suspicious emails (e.g., emails from unknown or unexpected sources) to the designated compliance team. 

If you have concerns or questions pertaining to phishing incidents, please contact a Nixon Law Group attorney. And if you haven’t already done so, please sign up for NLG e-mail updates for the latest summaries and other healthcare happenings.